In this article we ask how a financial firm should set up a good anti-fraud culture and then translate that into concrete jobs and responsibilities.

In today’s fast-paced, multinational and just-in time business environment, companies are under increasing pressure to make themselves more efficient and streamline their businesses to benefit the bottom line. Equally, because information flows to the public and other people with a stake in the business so quickly these days, organisations ought to be proactive to ensure that they are concentrating on protecting their reputations, fostering ethical environments and complying with the ever-changing wishes of their regulators. Compliance and legal functions are becoming ever more aware that there is no room for complacency when it comes to managing risks.

With a spate of large-scale corporate fraud cases hitting the headlines in recent months, public debate is raging as to who is responsible for stopping the fraudsters in their tracks. Is it the responsibility of the statutory auditors, the internal audit team, the compliance team in house, or the board of the company to ensure that adequate prevention and detection mechanisms are in place to deal with threats before it is too late and to find out whether large scale fraud has taken place?

Different perceptions

It is commonly thought that it is up to either the internal or external auditors to identify fraud in an organisation. Fraud, without doubt, ought to be on the auditors' radar, but people frequently misunderstand the actual jobs of both external and internal auditors. The job of the external auditor is to provide assurance to people who have an interest in the business, including shareholders, employees, financiers and customers, allowing them to make decisions about their relationships with the company. An external auditor, on the other hand, ought to concentrate on the most significant or relevant things that are likely to affect these people's decisions.

Complementary to this, internal audit’s primary regard is to assess the design and effectiveness of internal controls in a company, the better to assure the management of the company that the controls have been designed effectively and are functioning as planned.

The sense and the substance

In undertaking either of these important responsibilities, it is vital that both internal and external auditors should retain a level of professional scepticism which allows them to think beyond the numbers or the process, and challenge the substance and the sense of what they are seeing. In some of the recent high-profile fraud cases, a question certainly hangs over whether these parties were sceptical enough and whether they were good enough at following up on any suspicions that they may have developed during their work.

There is also a question of deliberate deception. The management and employees of a company have access to far more information and knowledge about what is really happening than the snapshot provided to either internal or external auditors. If they willingly deceive the checkers, then an expected level of professional scepticism may not detect this. How far ought they to go? Given that audit firms are also trying to work economically themselves and be competitive, more junior staff frequently conduct the detailed work and they may not have the experience to spot problems, or the confidence to challenge senior managers. These are all reasons why more severe dilemmas may go unidentified or unreported.

The path to an anti-fraud culture

The only real way in which an organisation can feel comfortable that it is doing enough to address the fraud-related risks that it runs is to put fraud risk assessment and response on the agenda at the highest level, and properly disseminate this downwards. Certain industries have been leaders in defining and framing best practice – for example in the financial services sector, the Financial Conduct Authority has set out the importance of creating a strong organisational culture and being proactive in managing the ethical component of compliance risk.

The introduction of the Senior Managers and Certification Regime (SM&CR), which came into effect three years ago, is a good example of this. The SM&CR sets standards for the behaviour of financial services staff and aims to promote a culture in which senior executives take responsibility for spotting the places where any harm to the business might occur, and take action to prevent it. This, of course, includes fraudulent activity. These principles can be made to apply in every sector.

By building up a culture of compliance that goes beyond ticking boxes and meeting regulatory requirements, senior managers can give employees the power and energy to question suspicious activity and seek the truth behind various transactions. Fraud can occur at all levels of a business, so it is vital that such a culture is spread across the whole organisation, with junior members of the team feeling just as empowered to raise concerns as the CEO.

From culture to practice

Even when there is a strong anti-fraud culture at the top, this does not take away the need to translate that culture into a consideration of detailed processes that prevent fraud and monitor things proactively. There are many tools that every firm can use when translating its culture into specific and tangible responsibilities, from targeted data analysis to audits and 'due diligence' regarding business touchpoints (i.e. modes of interaction between a customer and a business). The key to successful fraud risk programmes is the marrying-up of a deep routed culture of doing the right thing, with specific jobs, responsibilities and activities to prevent and detect fraud on the front line. This ought to be a holistic and evolving process, which changes the way it works in line with the ever-changing environment.

* Matthew Weitz can be reached on +44 20 7029 5193 or at matthew.weitz@kroll.com